Defense Industrial Base (DIB) partners will eventually be subject to increased assessment and certification of their cybersecurity programs and systems. The Defense Department is codifying a more stringent phase of Cybersecurity Maturity Model Certification (CMMC) rules.
Small contractors and subcontractors are not excluded from what is being called CMMC 2.0. All contractors will need to provide specific assurance that they “are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”
Simplifies compliance through some level of self-assessment
Applies priorities for protecting DoD information
Reinforces cooperation between DoD and industry for addressing evolving cyber threats
Mid-sized and small government contractors should anticipate future investments and costs for complying with CMMC 2.0. The following information can help contractors prepare and potentially spread out the costs of compliance over time.
Monitor cyber readiness during the rulemaking process
CMMC 2.0 proposes a three-tier model of compliance that implements cybersecurity standards at progressively advanced levels. Contractors at the lowest tier, Level 1, will be required to perform an annual self-assessment affirmed by the DoD.
Although self-assessment is potentially less costly than a third-party assessment (Level 2) or government-led assessment (Level 3), it’s not as simple as it sounds. There are 15 proposed requirements at Level 1. There are also legal and financial consequences for contractors that violate the False Claims Act by affirming cybersecurity compliance when they are not compliant. That’s why it’s important for contractors to understand the rules that apply to them within a government contract as prime or subcontractors.
Observe updates on the CMMC 2.0 rulemaking process. Consult with your Gov/Con legal and accounting advisors to understand how the rules apply to your company.
Review current software, cyber solutions for necessary updates
Some contractors are already investing in software platforms with the applicable cybersecurity controls built in. Software-as-a-service (SaaS) providers that specialize in Gov/Con cyber rules can offer another level of support for CMMC 2.0 compliance. A third option is for contractors to build the required cyber compliance capability into their own IT department to support future self-assessments.
Some contractors are waiting to implement additional cybersecurity until the CMMC 2.0 rules are final or until they have a contract that requires it. If contractors choose to wait, they should still have a good understanding of the costs of compliance when responding to a proposal.
Build cybersecurity compliance costs into your company’s indirect rate structure when working on pricing. If these costs are not factored in, they will erode future profitability and impact win rates.
Consider adequate staffing, time for future self-assessments
Future compliance and testing could cost tens of thousands of dollars once the necessary software and SaaS investments and internal IT staff time are counted. CMMC 2.0 will therefore affect overall budget planning and accounting for contractors.
Some contractors are gradually reassessing spend in other areas of the company and allocating larger budgets to future IT and cyber compliance. That way, the additional costs are not a surprise once compliance is required.
If you have any questions about how to adjust budgets for cybersecurity compliance, talk to your CPA to create a realistic budget plan.
Michelle Jenkins, CPA is a partner within the Solutions Advisory Services Department of Anglin Reichmann Armstrong CPAs and Advisors. She specializes in forward pricing budget tools and enhanced accounting systems for government contractors, including KPIs.